/*
 * Wazuh app - Mitre sample alerts
 * Copyright (C) 2015-2020 Wazuh, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Find more information about this on the LICENSE file.
 */

// MITRE ATT&CK sample rule data. Each entry mirrors a rule as returned by the
// Wazuh ruleset (filename, relative_dirname, id, level, status, details,
// compliance mappings, groups, description) plus a `mitre` object with
// parallel `tactic` / `id` / `technique` arrays.
//
// NOTE(review): this is sample/fixture data, not a live rule source.
//  - The technique IDs reflect the ATT&CK numbering in use when this file was
//    written (e.g. T1089, T1107, T1169); ATT&CK has since reorganised several
//    of these into sub-techniques, so do not treat the mapping as current.
//  - Some `details` regex strings appear to have lost their backslashes in
//    transit (e.g. `'Connection from S+ denied'`, `'^Connection from S+ on
//    illegal port$'` where the upstream XML uses `\S+`); treat them as display
//    strings, not runnable patterns.
//  - Rule variables such as `$POSTFIX_FREQ` / `$IMAPD_FREQ` and empty
//    `same_source_ip: ''` are reproduced unexpanded, as the ruleset emits them.
export const arrayMitreRules = [
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 504,
    level: 3,
    status: 'enabled',
    details: { if_sid: '500', match: 'Agent disconnected' },
    pci_dss: ['10.6.1', '10.2.6'],
    gpg13: ['10.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'AU.14', 'AU.5'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.8'],
    mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
    groups: ['ossec'],
    description: 'Ossec agent disconnected.',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 505,
    level: 3,
    status: 'enabled',
    details: { if_sid: '500', match: 'Agent removed' },
    pci_dss: ['10.6.1', '10.2.6'],
    gpg13: ['10.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'AU.14', 'AU.5'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.8'],
    mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
    groups: ['ossec'],
    description: 'Ossec agent removed.',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 518,
    level: 9,
    status: 'enabled',
    details: { if_sid: '514', match: 'Adware|Spyware' },
    gpg13: ['4.2'],
    gdpr: ['IV_35.7.d'],
    mitre: {
      tactic: ['Lateral Movement'],
      id: ['T1017'],
      technique: ['Application Deployment Software'],
    },
    groups: ['rootcheck', 'ossec'],
    description: 'Windows Adware/Spyware application found.',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 550,
    level: 7,
    status: 'enabled',
    details: { category: 'ossec', decoded_as: 'syscheck_integrity_changed' },
    pci_dss: ['11.5'],
    gpg13: ['4.11'],
    gdpr: ['II_5.1.f'],
    hipaa: ['164.312.c.1', '164.312.c.2'],
    nist_800_53: ['SI.7'],
    tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] },
    groups: ['syscheck', 'ossec'],
    description: 'Integrity checksum changed.',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 553,
    level: 7,
    status: 'enabled',
    details: { category: 'ossec', decoded_as: 'syscheck_deleted' },
    pci_dss: ['11.5'],
    gpg13: ['4.11'],
    gdpr: ['II_5.1.f'],
    hipaa: ['164.312.c.1', '164.312.c.2'],
    nist_800_53: ['SI.7'],
    tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Defense Evasion', 'Impact'],
      id: ['T1107', 'T1485'],
      technique: ['File Deletion', 'Data Destruction'],
    },
    groups: ['syscheck', 'ossec'],
    description: 'File deleted.',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 592,
    level: 8,
    status: 'enabled',
    details: { if_sid: '500', match: '^ossec: File size reduced' },
    pci_dss: ['10.5.2', '11.4'],
    gpg13: ['10.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.9', 'SI.4'],
    tsc: ['CC6.1', 'CC7.2', 'CC7.3', 'CC6.8'],
    mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] },
    groups: ['attacks', 'ossec'],
    description: 'Log file size reduced.',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 593,
    level: 9,
    status: 'enabled',
    details: { if_sid: '500', match: '^ossec: Event log cleared' },
    pci_dss: ['10.5.2'],
    gpg13: ['10.1'],
    gdpr: ['II_5.1.f', 'IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.9'],
    tsc: ['CC6.1', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Defense Evasion'], id: ['T1070'], technique: ['Indicator Removal on Host'] },
    groups: ['logs_cleared', 'ossec'],
    description: 'Microsoft Event log cleared.',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 594,
    level: 5,
    status: 'enabled',
    details: { category: 'ossec', if_sid: '550', hostname: 'syscheck-registry' },
    pci_dss: ['11.5'],
    gpg13: ['4.13'],
    gdpr: ['II_5.1.f'],
    hipaa: ['164.312.c.1', '164.312.c.2'],
    nist_800_53: ['SI.7'],
    tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] },
    groups: ['syscheck', 'ossec'],
    description: 'Registry Integrity Checksum Changed',
  },
  {
    filename: '0015-ossec_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 597,
    level: 5,
    status: 'enabled',
    details: { category: 'ossec', if_sid: '553', hostname: 'syscheck-registry' },
    pci_dss: ['11.5'],
    gpg13: ['4.13'],
    gdpr: ['II_5.1.f'],
    hipaa: ['164.312.c.1', '164.312.c.2'],
    nist_800_53: ['SI.7'],
    tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Defense Evasion', 'Impact'],
      id: ['T1107', 'T1485'],
      technique: ['File Deletion', 'Data Destruction'],
    },
    groups: ['syscheck', 'ossec'],
    description: 'Registry Entry Deleted.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 1003,
    level: 13,
    status: 'enabled',
    details: { maxsize: '1025', noalert: '1' },
    gpg13: ['4.3'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['syslog', 'errors'],
    description: 'Non standard syslog message (size too large).',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2301,
    level: 10,
    status: 'enabled',
    details: { match: '^Deactivating service ' },
    pci_dss: ['10.6.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['syslog', 'xinetd'],
    description: 'xinetd: Excessive number connections to a service.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2502,
    level: 10,
    status: 'enabled',
    details: { match: 'more authentication failures;|REPEATED login failures' },
    pci_dss: ['10.2.4', '10.2.5'],
    gpg13: ['7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['authentication_failed', 'syslog', 'access_control'],
    description: 'syslog: User missed the password more than one time',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2503,
    level: 5,
    status: 'enabled',
    details: {
      regex: [
        '^refused connect from|',
        '^libwrap refused connection|',
        'Connection from S+ denied',
      ],
    },
    pci_dss: ['10.2.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Command and Control'],
      id: ['T1095'],
      technique: ['Standard Non-Application Layer Protocol'],
    },
    groups: ['access_denied', 'syslog', 'access_control'],
    description: 'syslog: Connection blocked by Tcp Wrappers.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2504,
    level: 9,
    status: 'enabled',
    details: { match: 'ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED' },
    pci_dss: ['10.2.4', '10.2.5', '10.2.2'],
    gpg13: ['7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['invalid_login', 'syslog', 'access_control'],
    description: 'syslog: Illegal root login.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2551,
    level: 10,
    status: 'enabled',
    details: { if_sid: '2550', regex: '^Connection from S+ on illegal port$' },
    pci_dss: ['10.6.1'],
    gpg13: ['7.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: { tactic: ['Discovery'], id: ['T1046'], technique: ['Network Service Scanning'] },
    groups: ['connection_attempt', 'syslog', 'access_control'],
    description: 'Connection to rshd from unprivileged port. Possible network scan.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2833,
    level: 8,
    status: 'enabled',
    details: { if_sid: '2832', match: '^(root)' },
    pci_dss: ['10.2.7', '10.6.1', '10.2.2'],
    gpg13: ['4.13'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AU.6', 'AC.6'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['syslog', 'cron'],
    description: "Root's crontab entry changed.",
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2960,
    level: 2,
    status: 'enabled',
    details: { decoded_as: 'gpasswd', match: 'added by' },
    gpg13: ['7.9', '4.13'],
    gdpr: ['IV_32.2'],
    mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] },
    groups: ['syslog', 'yum'],
    description: 'User added to group.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2961,
    level: 5,
    status: 'enabled',
    details: { if_sid: '2960', group: 'sudo' },
    gpg13: ['7.9', '4.13'],
    gdpr: ['IV_32.2'],
    mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] },
    groups: ['syslog', 'yum'],
    description: 'User added to group sudo.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 2964,
    level: 10,
    status: 'enabled',
    details: { frequency: '4', timeframe: '30', if_matched_sid: '2963', same_source_ip: '' },
    pci_dss: ['11.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['recon', 'syslog', 'perdition'],
    description: 'perdition: Multiple connection attempts from same source.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3102,
    level: 5,
    status: 'enabled',
    details: { if_sid: '3101', match: 'reject=451 4.1.8 ' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'sendmail'],
    description:
      'sendmail: Sender domain does not have any valid MX record (Requested action aborted).',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3103,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3101', match: 'reject=550 5.0.0 |reject=553 5.3.0' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'sendmail'],
    description: 'sendmail: Rejected by access list (55x: Requested action not taken).',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3104,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3101', match: 'reject=550 5.7.1 ' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'sendmail'],
    description: 'sendmail: Attempt to use mail server as relay (550: Requested action not taken).',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3105,
    level: 5,
    status: 'enabled',
    details: { if_sid: '3101', match: 'reject=553 5.1.8 ' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'sendmail'],
    description: 'sendmail: Sender domain is not found  (553: Requested action not taken).',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3106,
    level: 5,
    status: 'enabled',
    details: { if_sid: '3101', match: 'reject=553 5.5.4 ' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'sendmail'],
    description: 'sendmail: Sender address does not have domain (553: Requested action not taken).',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3108,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3100', match: 'rejecting commands from' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'sendmail'],
    description: 'sendmail: Sendmail rejected due to pre-greeting.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3151,
    level: 10,
    status: 'enabled',
    details: { frequency: '8', timeframe: '120', if_matched_sid: '3102', same_source_ip: '' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'sendmail'],
    description: 'sendmail: Sender domain has bogus MX record. It should not be sending e-mail.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3152,
    level: 6,
    status: 'enabled',
    details: { frequency: '8', timeframe: '120', if_matched_sid: '3103', same_source_ip: '' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'sendmail'],
    description:
      'sendmail: Multiple attempts to send e-mail from a previously rejected sender (access).',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3153,
    level: 6,
    status: 'enabled',
    details: { frequency: '8', timeframe: '120', if_matched_sid: '3104', same_source_ip: '' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'sendmail'],
    description: 'sendmail: Multiple relaying attempts of spam.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3154,
    level: 10,
    status: 'enabled',
    details: { frequency: '8', timeframe: '120', if_matched_sid: '3105', same_source_ip: '' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'sendmail'],
    description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3155,
    level: 10,
    status: 'enabled',
    details: { frequency: '8', timeframe: '120', if_matched_sid: '3106', same_source_ip: '' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'sendmail'],
    description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3156,
    level: 10,
    status: 'enabled',
    details: { frequency: '12', timeframe: '120', if_matched_sid: '3107', same_source_ip: '' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'sendmail'],
    description: 'sendmail: Multiple rejected e-mails from same source ip.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3158,
    level: 10,
    status: 'enabled',
    details: { frequency: '8', timeframe: '120', if_matched_sid: '3108', same_source_ip: '' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'sendmail'],
    description: 'sendmail: Multiple pre-greetings rejects.',
  },
  {
    filename: '0025-sendmail_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3191,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3190', match: '^sender check failed|^sender check tempfailed' },
    pci_dss: ['11.4'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['smf-sav', 'spam', 'syslog', 'sendmail'],
    description: 'sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3301,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3300', id: '^554$' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: Attempt to use mail server as relay (client host rejected).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3302,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3300', id: '^550$' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: Rejected by access list (Requested action not taken).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3303,
    level: 5,
    status: 'enabled',
    details: { if_sid: '3300', id: '^450$' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: Sender domain is not found (450: Requested mail action not taken).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3304,
    level: 5,
    status: 'enabled',
    details: { if_sid: '3300', id: '^503$' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description:
      'Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3305,
    level: 5,
    status: 'enabled',
    details: { if_sid: '3300', id: '^504$' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description:
      'Postfix: Recipient address must contain FQDN (504: Command parameter not implemented).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3306,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3301, 3302', match: ' blocked using ' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: IP Address black-listed by anti-spam (blocked).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3330,
    level: 10,
    status: 'enabled',
    details: {
      ignore: '240',
      if_sid: '3320',
      match: [
        'defer service failure|Resource temporarily unavailable|',
        '^fatal: the Postfix mail system is not running',
      ],
    },
    pci_dss: ['10.6.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['service_availability', 'syslog', 'postfix'],
    description: 'Postfix process error.',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3335,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3320', match: '^too many ' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: too many errors after RCPT from unknown',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3351,
    level: 6,
    status: 'enabled',
    details: {
      frequency: '$POSTFIX_FREQ',
      timeframe: '90',
      if_matched_sid: '3301',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'postfix'],
    description: 'Postfix: Multiple relaying attempts of spam.',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3352,
    level: 6,
    status: 'enabled',
    details: {
      frequency: '$POSTFIX_FREQ',
      timeframe: '120',
      if_matched_sid: '3302',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1', '11.4'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'postfix'],
    description: 'Postfix: Multiple attempts to send e-mail from a rejected sender IP (access).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3353,
    level: 10,
    status: 'enabled',
    details: {
      frequency: '$POSTFIX_FREQ',
      timeframe: '120',
      if_matched_sid: '3303',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'postfix'],
    description: 'Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain.',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3354,
    level: 12,
    status: 'enabled',
    details: {
      frequency: '$POSTFIX_FREQ',
      timeframe: '120',
      if_matched_sid: '3304',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['multiple_spam', 'syslog', 'postfix'],
    description: 'Postfix: Multiple misuse of SMTP service (bad sequence of commands).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3355,
    level: 10,
    status: 'enabled',
    details: {
      frequency: '$POSTFIX_FREQ',
      timeframe: '120',
      if_matched_sid: '3305',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'syslog', 'postfix'],
    description:
      'Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3356,
    level: 10,
    status: 'enabled',
    details: {
      frequency: '$POSTFIX_FREQ',
      timeframe: '120',
      ignore: '30',
      if_matched_sid: '3306',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['multiple_spam', 'syslog', 'postfix'],
    description:
      'Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked).',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3357,
    level: 10,
    status: 'enabled',
    details: {
      frequency: '8',
      timeframe: '120',
      ignore: '60',
      if_matched_sid: '3332',
      same_source_ip: '',
    },
    pci_dss: ['10.2.4', '10.2.5', '11.4'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['authentication_failures', 'syslog', 'postfix'],
    description: 'Postfix: Multiple SASL authentication failures.',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3396,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3395', match: 'verification' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: hostname verification failed',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3397,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3395', match: 'RBL' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: RBL lookup error: Host or domain name not found',
  },
  {
    filename: '0030-postfix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3398,
    level: 6,
    status: 'enabled',
    details: { if_sid: '3395', match: 'MAIL|does not resolve to address' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
    groups: ['spam', 'syslog', 'postfix'],
    description: 'Postfix: Illegal address from unknown sender',
  },
  {
    filename: '0040-imapd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3602,
    level: 3,
    status: 'enabled',
    details: { if_sid: '3600', match: 'Authenticated user=' },
    pci_dss: ['10.2.5'],
    gpg13: ['7.1'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'imapd'],
    description: 'Imapd user login.',
  },
  {
    filename: '0040-imapd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3651,
    level: 10,
    status: 'enabled',
    details: {
      frequency: '$IMAPD_FREQ',
      timeframe: '120',
      if_matched_sid: '3601',
      same_source_ip: '',
    },
    pci_dss: ['10.2.4', '10.2.5', '11.4'],
    gpg13: ['7.1'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['authentication_failures', 'syslog', 'imapd'],
    description: 'Imapd Multiple failed logins from same source ip.',
  },
  {
    filename: '0045-mailscanner_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3751,
    level: 6,
    status: 'enabled',
    details: { frequency: '8', timeframe: '180', if_matched_sid: '3702', same_source_ip: '' },
    pci_dss: ['10.6.1'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Credential Access', 'Collection'],
      id: ['T1110', 'T1114'],
      technique: ['Brute Force', 'Email Collection'],
    },
    groups: ['multiple_spam', 'syslog', 'mailscanner'],
    description: 'mailscanner: Multiple attempts of spam.',
  },
  {
    filename: '0050-ms-exchange_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3851,
    level: 9,
    status: 'enabled',
    details: {
      frequency: '12',
      timeframe: '120',
      ignore: '120',
      if_matched_sid: '3801',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'ms', 'exchange'],
    description: 'ms-exchange: Multiple e-mail attempts to an invalid account.',
  },
  {
    filename: '0050-ms-exchange_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3852,
    level: 9,
    status: 'enabled',
    details: {
      frequency: '14',
      timeframe: '120',
      ignore: '240',
      if_matched_sid: '3802',
      same_source_ip: '',
    },
    pci_dss: ['10.6.1'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Collection', 'Impact'],
      id: ['T1114', 'T1499'],
      technique: ['Email Collection', 'Endpoint Denial of Service'],
    },
    groups: ['multiple_spam', 'ms', 'exchange'],
    description: 'ms-exchange: Multiple e-mail 500 error code (spam).',
  },
  {
    filename: '0055-courier_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3904,
    level: 3,
    status: 'enabled',
    details: { if_sid: '3900', match: '^LOGIN,' },
    pci_dss: ['10.2.5'],
    gpg13: ['7.1', '7.2'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'courier'],
    description: 'Courier (imap/pop3) authentication success.',
  },
  {
    filename: '0055-courier_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3910,
    level: 10,
    status: 'enabled',
    details: { frequency: '12', timeframe: '30', if_matched_sid: '3902', same_source_ip: '' },
    pci_dss: ['10.2.4', '10.2.5', '11.4'],
    gpg13: ['7.1'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['authentication_failures', 'syslog', 'courier'],
    description: 'Courier brute force (multiple failed logins).',
  },
  {
    filename: '0055-courier_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 3911,
    level: 10,
    status: 'enabled',
    details: { frequency: '17', timeframe: '30', if_matched_sid: '3901', same_source_ip: '' },
    pci_dss: ['10.6.1', '11.4'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['recon', 'syslog', 'courier'],
    description: 'Courier: Multiple connection attempts from same source.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4323,
    level: 3,
    status: 'enabled',
    details: { if_sid: '4314', id: '^6-605005' },
    pci_dss: ['10.2.5'],
    gpg13: ['7.8'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'pix'],
    description: 'PIX: Successful login.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4325,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4313', id: '^4-405001' },
    pci_dss: ['10.6.1'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Command and Control'],
      id: ['T1095'],
      technique: ['Standard Non-Application Layer Protocol'],
    },
    groups: ['syslog', 'pix'],
    description: 'PIX: ARP collision detected.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4335,
    level: 3,
    status: 'enabled',
    details: { if_sid: '4314', id: '^6-113004' },
    pci_dss: ['10.2.5'],
    gpg13: ['7.1', '7.2'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'pix'],
    description: 'PIX: AAA (VPN) authentication successful.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4336,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4314', id: '^6-113006' },
    pci_dss: ['10.2.4', '10.2.5'],
    gpg13: ['7.1', '7.5'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
    groups: ['authentication_failed', 'syslog', 'pix'],
    description: 'PIX: AAA (VPN) user locked out.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4337,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4312', id: '^3-201008' },
    pci_dss: ['10.6.1'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
    groups: ['service_availability', 'syslog', 'pix'],
    description: 'PIX: The PIX is disallowing new connections.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4339,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4314', id: '^5-111003' },
    pci_dss: ['1.1.1', '10.4'],
    gpg13: ['4.13'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.a.1', '164.312.b'],
    nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
    tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
    groups: ['config_changed', 'syslog', 'pix'],
    description: 'PIX: Firewall configuration deleted.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4340,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4314', id: '^5-111005|^5-111004|^5-111002|^5-111007' },
    pci_dss: ['1.1.1', '10.4'],
    gpg13: ['4.13'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.a.1', '164.312.b'],
    nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
    tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
    groups: ['config_changed', 'syslog', 'pix'],
    description: 'PIX: Firewall configuration changed.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4342,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4314', id: '^5-502101|^5-502102' },
    pci_dss: ['8.1.2', '10.2.5'],
    gpg13: ['4.13'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.a.2.I', '164.312.a.2.II', '164.312.b'],
    nist_800_53: ['AC.2', 'IA.4', 'AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Defense Evasion', 'Initial Access'],
      id: ['T1089', 'T1133'],
      technique: ['Disabling Security Tools', 'External Remote Services'],
    },
    groups: ['adduser', 'account_changed', 'syslog', 'pix'],
    description: 'PIX: User created or modified on the Firewall.',
  },
  {
    filename: '0065-pix_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4386,
    level: 10,
    status: 'enabled',
    details: { frequency: '10', timeframe: '240', if_matched_sid: '4334', same_source_ip: '' },
    pci_dss: ['11.4', '10.2.4', '10.2.5'],
    gpg13: ['7.1'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['SI.4', 'AU.14', 'AC.7'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Credential Access', 'Initial Access'],
      id: ['T1110', 'T1133'],
      technique: ['Brute Force', 'External Remote Services'],
    },
    groups: ['authentication_failures', 'syslog', 'pix'],
    description: 'PIX: Multiple AAA (VPN) authentication failures.',
  },
  {
    filename: '0070-netscreenfw_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4505,
    level: 11,
    status: 'enabled',
    details: { if_sid: '4503', id: '^00027' },
    pci_dss: ['1.4', '10.6.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.a.1', '164.312.b'],
    nist_800_53: ['SC.7', 'AU.6'],
    tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1485'], technique: ['Data Destruction'] },
    groups: ['service_availability', 'netscreenfw'],
    description: 'Netscreen Erase sequence started.',
  },
  {
    filename: '0070-netscreenfw_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4506,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4501', id: '^00002' },
    pci_dss: ['10.2.5', '10.2.2'],
    gpg13: ['7.8'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'netscreenfw'],
    description: 'Netscreen firewall: Successfull admin login',
  },
  {
    filename: '0070-netscreenfw_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4507,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4502', id: '^00515' },
    pci_dss: ['10.2.5', '10.2.2'],
    gpg13: ['7.8'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'netscreenfw'],
    description: 'Netscreen firewall: Successfull admin login',
  },
  {
    filename: '0070-netscreenfw_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4509,
    level: 8,
    status: 'enabled',
    details: { if_sid: '4504', id: '^00767' },
    pci_dss: ['1.1.1'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.a.1'],
    nist_800_53: ['CM.3', 'CM.5'],
    tsc: ['CC8.1'],
    mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
    groups: ['config_changed', 'netscreenfw'],
    description: 'Netscreen firewall: configuration changed.',
  },
  {
    filename: '0070-netscreenfw_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4550,
    level: 10,
    status: 'enabled',
    details: {
      frequency: '6',
      timeframe: '180',
      ignore: '60',
      if_matched_sid: '4503',
      same_source_ip: '',
    },
    pci_dss: ['1.4', '10.6.1', '11.4'],
    gpg13: ['4.1'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.a.1', '164.312.b'],
    nist_800_53: ['SC.7', 'AU.6', 'SI.4'],
    tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3', 'CC6.1'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['netscreenfw'],
    description: 'Netscreen firewall: Multiple critical messages from same source IP.',
  },
  {
    filename: '0070-netscreenfw_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4551,
    level: 10,
    status: 'enabled',
    details: { frequency: '8', timeframe: '180', ignore: '60', if_matched_sid: '4503' },
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['netscreenfw'],
    description: 'Netscreen firewall: Multiple critical messages.',
  },
  {
    filename: '0075-cisco-ios_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4722,
    level: 3,
    status: 'enabled',
    details: { if_sid: '4715', id: '^%SEC_LOGIN-5-LOGIN_SUCCESS' },
    pci_dss: ['10.2.5'],
    gpg13: ['3.6'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'cisco_ios'],
    description: 'Cisco IOS: Successful login to the router.',
  },
  {
    filename: '0080-sonicwall_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4810,
    level: 3,
    status: 'enabled',
    details: { if_sid: '4806', id: '^236$' },
    pci_dss: ['10.2.5'],
    gpg13: ['3.6'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'sonicwall'],
    description: 'SonicWall: Firewall administrator login.',
  },
  {
    filename: '0080-sonicwall_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 4851,
    level: 10,
    status: 'enabled',
    details: { frequency: '8', timeframe: '120', ignore: '60', if_matched_sid: '4803' },
    pci_dss: ['10.6.1'],
    gpg13: ['3.5'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['service_availability', 'syslog', 'sonicwall'],
    description: 'SonicWall: Multiple firewall error messages.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5103,
    level: 9,
    status: 'enabled',
    details: { if_sid: '5100', match: 'Oversized packet received from' },
    gdpr: ['IV_35.7.d'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['syslog', 'linuxkernel'],
    description: 'Error message from the kernel. Ping of death attack.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5104,
    level: 8,
    status: 'enabled',
    details: {
      if_sid: '5100',
      regex: ['Promiscuous mode enabled|', 'device S+ entered promiscuous mode'],
    },
    pci_dss: ['10.6.1', '11.4'],
    gpg13: ['4.13'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6', 'SI.4'],
    tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
    mitre: { tactic: ['Discovery'], id: ['T1040'], technique: ['Network Sniffing'] },
    groups: ['promisc', 'syslog', 'linuxkernel'],
    description: 'Interface entered in promiscuous(sniffing) mode.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5108,
    level: 12,
    status: 'enabled',
    details: { if_sid: '5100', match: 'Out of Memory: ' },
    pci_dss: ['10.6.1'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
    groups: ['service_availability', 'syslog', 'linuxkernel'],
    description: 'System running out of memory. Availability of the system is in risk.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5113,
    level: 7,
    status: 'enabled',
    details: { if_sid: '5100', match: 'Kernel log daemon terminating' },
    pci_dss: ['10.6.1'],
    gpg13: ['4.14'],
    gdpr: ['IV_35.7.d'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.6'],
    tsc: ['CC7.2', 'CC7.3'],
    mitre: { tactic: ['Impact'], id: ['T1529'], technique: ['System Shutdown/Reboot'] },
    groups: ['system_shutdown', 'syslog', 'linuxkernel'],
    description: 'System is shutting down.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5132,
    level: 11,
    status: 'enabled',
    details: { if_sid: '5100', match: 'module verification failed' },
    mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
    groups: ['syslog', 'linuxkernel'],
    description: 'Unsigned kernel module was loaded',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5133,
    level: 11,
    status: 'enabled',
    details: { if_sid: '5100', match: 'PKCS#7 signature not signed with a trusted key' },
    mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
    groups: ['syslog', 'linuxkernel'],
    description: 'Signed but untrusted kernel module was loaded',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5302,
    level: 9,
    status: 'enabled',
    details: { if_sid: '5301', user: '^root' },
    pci_dss: ['10.2.4', '10.2.5'],
    gpg13: ['7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3', 'CC7.4'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['authentication_failed', 'syslog', 'su'],
    description: 'User missed the password to change UID to root.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5303,
    level: 3,
    status: 'enabled',
    details: {
      if_sid: '5300',
      regex: [
        "session opened for user root|^'su root'|",
        '^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$',
      ],
    },
    pci_dss: ['10.2.5'],
    gpg13: ['7.6', '7.8', '7.9'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'su'],
    description: 'User successfully changed UID to root.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5304,
    level: 3,
    status: 'enabled',
    details: {
      if_sid: '5300',
      regex: ['session opened for user|succeeded for|', '^+|^S+ to |^SU S+ S+ + '],
    },
    pci_dss: ['10.2.5'],
    gpg13: ['7.6', '7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'syslog', 'su'],
    description: 'User successfully changed UID.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5401,
    level: 5,
    status: 'enabled',
    details: { if_sid: '5400', match: 'incorrect password attempt' },
    pci_dss: ['10.2.4', '10.2.5'],
    gpg13: ['7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['syslog', 'sudo'],
    description: 'Failed attempt to run sudo.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5402,
    level: 3,
    status: 'enabled',
    details: { if_sid: '5400', regex: ' ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND=' },
    pci_dss: ['10.2.5', '10.2.2'],
    gpg13: ['7.6', '7.8', '7.13'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['syslog', 'sudo'],
    description: 'Successful sudo to ROOT executed.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5403,
    level: 4,
    status: 'enabled',
    details: { if_sid: '5400', if_fts: '' },
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['syslog', 'sudo'],
    description: 'First time user executed sudo.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5404,
    level: 10,
    status: 'enabled',
    details: { if_sid: '5401', match: '3 incorrect password attempts' },
    pci_dss: ['10.2.4', '10.2.5'],
    gpg13: ['7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['syslog', 'sudo'],
    description: 'Three failed attempts to run sudo',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5405,
    level: 5,
    status: 'enabled',
    details: { if_sid: '5400', match: 'user NOT in sudoers' },
    pci_dss: ['10.2.2', '10.2.5'],
    gpg13: ['7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.6', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['syslog', 'sudo'],
    description: 'Unauthorized user attempted to use sudo.',
  },
  {
    filename: '0020-syslog_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5407,
    level: 3,
    status: 'enabled',
    details: { if_sid: '5400', regex: ' ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND=' },
    pci_dss: ['10.2.5', '10.2.2'],
    gpg13: ['7.6', '7.8', '7.13'],
    gdpr: ['IV_32.2'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
    groups: ['syslog', 'sudo'],
    description: 'Successful sudo executed.',
  },
  {
    filename: '0085-pam_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5501,
    level: 3,
    status: 'enabled',
    details: { if_sid: '5500', match: 'session opened for user ' },
    pci_dss: ['10.2.5'],
    gpg13: ['7.8', '7.9'],
    gdpr: ['IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7'],
    tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
    groups: ['authentication_success', 'pam', 'syslog'],
    description: 'PAM: Login session opened.',
  },
  {
    filename: '0085-pam_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5551,
    level: 10,
    status: 'enabled',
    details: { frequency: '8', timeframe: '180', if_matched_sid: '5503', same_source_ip: '' },
    pci_dss: ['10.2.4', '10.2.5', '11.4'],
    gpg13: ['7.8'],
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    hipaa: ['164.312.b'],
    nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['authentication_failures', 'pam', 'syslog'],
    description: 'PAM: Multiple failed logins in a small period of time.',
  },
  {
    filename: '0090-telnetd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5601,
    level: 5,
    status: 'enabled',
    details: { if_sid: '5600', match: 'refused connect from ' },
    gdpr: ['IV_35.7.d'],
    mitre: {
      tactic: ['Command and Control'],
      id: ['T1095'],
      technique: ['Standard Non-Application Layer Protocol'],
    },
    groups: ['syslog', 'telnetd'],
    description: 'telnetd: Connection refused by TCP Wrappers.',
  },
  {
    filename: '0090-telnetd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5631,
    level: 10,
    status: 'enabled',
    details: { frequency: '6', timeframe: '120', if_matched_sid: '5602', same_source_ip: '' },
    gdpr: ['IV_35.7.d', 'IV_32.2'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['syslog', 'telnetd'],
    description: 'telnetd: Multiple connection attempts from same source (possible scan).',
  },
  {
    filename: '0095-sshd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5701,
    level: 8,
    status: 'enabled',
    details: { if_sid: '5700', match: 'Bad protocol version identification' },
    pci_dss: ['11.4'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Initial Access'],
      id: ['T1190'],
      technique: ['Exploit Public-Facing Application'],
    },
    groups: ['recon', 'syslog', 'sshd'],
    description: 'sshd: Possible attack on the ssh server (or version gathering).',
  },
  {
    filename: '0095-sshd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5703,
    level: 10,
    status: 'enabled',
    details: { frequency: '6', timeframe: '360', if_matched_sid: '5702', same_source_ip: '' },
    pci_dss: ['11.4'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
    groups: ['syslog', 'sshd'],
    description: 'sshd: Possible breakin attempt (high number of reverse lookup errors).',
  },
  {
    filename: '0095-sshd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5705,
    level: 10,
    status: 'enabled',
    details: { frequency: '6', timeframe: '360', if_matched_sid: '5704' },
    pci_dss: ['11.4'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: {
      tactic: ['Initial Access', 'Credential Access'],
      id: ['T1190', 'T1110'],
      technique: ['Exploit Public-Facing Application', 'Brute Force'],
    },
    groups: ['syslog', 'sshd'],
    description: 'sshd: Possible scan or breakin attempt (high number of login timeouts).',
  },
  {
    filename: '0095-sshd_rules.xml',
    relative_dirname: 'ruleset/rules',
    id: 5706,
    level: 6,
    status: 'enabled',
    details: { if_sid: '5700', match: 'Did not receive identification string from' },
    pci_dss: ['11.4'],
    gpg13: ['4.12'],
    gdpr: ['IV_35.7.d'],
    nist_800_53: ['SI.4'],
    tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
    mitre: { tactic: ['Command and Control'], id: ['T1043'], technique: ['Commonly Used Port'] },
    groups: ['recon', 'syslog', 'sshd'],
    description: 'sshd: insecure connection attempt (scan).',
  },
];

/**
 * Log-source names available to the sample-alert generator in this file:
 * the Windows event channel plus the two usual Linux authentication logs.
 * NOTE(review): presumably picked at random for an alert's `location`
 * field by the caller — confirm against the generator; treat as read-only.
 */
export const arrayLocation = [
  'EventChannel',
  '/var/log/auth.log',
  '/var/log/secure',
];
